
Verifying webhook signatures

Confirm that a webhook really came from us using the signing secret and an HMAC check.

Because your webhook URL is reachable by anyone, you must verify that each request is genuinely from New Venue Data before acting on it. We sign every delivery with a secret that only you and we know.

The signature header

Every delivery includes an X-LS-Signature header. It is an HMAC-SHA256 of the raw request body, keyed with your endpoint signing secret (found next to the webhook in Settings).

Verifying it

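import crypto from "crypto"

// rawBody: the unparsed request body; header: the X-LS-Signature value
function verify(rawBody, header, secret) {
  // A missing header is a failed verification, not an exception
  if (typeof header !== "string") return false
  const expected = crypto
    .createHmac("sha256", secret)
    .update(rawBody)
    .digest("hex")
  const received = Buffer.from(header)
  const wanted = Buffer.from(expected)
  // timingSafeEqual throws when the lengths differ, so reject those first
  if (received.length !== wanted.length) return false
  return crypto.timingSafeEqual(received, wanted)
}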

Critical details

  • Compute the HMAC over the raw, unparsed body — JSON re-serialization changes bytes and breaks the check.
  • Use a constant-time comparison to avoid timing attacks.
  • Reject the request if verification fails, and never log the signing secret.
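
The raw-body rule above, shown end to end as an added example (not New Venue Data's own code): the handler buffers the request bytes, verifies X-LS-Signature before parsing, and rejects a re-serialized copy of the same JSON. The secret, the payload, the 401/400 status codes and the createWebhookServer wiring are assumptions made for the illustration.

```javascript
const crypto = require("node:crypto")
const http = require("node:http")

// Hex HMAC-SHA256 over the exact bytes received, as the page describes.
function sign(rawBody, secret) {
  return crypto.createHmac("sha256", secret).update(rawBody).digest("hex")
}

// Returns the HTTP status to send and, only if the signature verifies, the parsed event.
function handleDelivery(rawBody, headers, secret) {
  const header = headers["x-ls-signature"] // Node lowercases incoming header names
  if (typeof header !== "string") return { status: 401 }
  const received = Buffer.from(header)
  const expected = Buffer.from(sign(rawBody, secret))
  // timingSafeEqual throws on unequal lengths, so reject those first.
  if (received.length !== expected.length ||
      !crypto.timingSafeEqual(received, expected)) return { status: 401 }
  try {
    return { status: 200, event: JSON.parse(rawBody.toString("utf8")) } // parse only after verifying
  } catch {
    return { status: 400 } // correctly signed, but not valid JSON
  }
}

// Hypothetical wiring: collect the body as bytes before any JSON middleware touches it.
function createWebhookServer(secret, onEvent) {
  return http.createServer((req, res) => {
    const chunks = []
    req.on("data", (c) => chunks.push(c))
    req.on("end", () => {
      const result = handleDelivery(Buffer.concat(chunks), req.headers, secret)
      if (result.status === 200) onEvent(result.event)
      res.writeHead(result.status).end()
    })
  })
}

// Constructed sample delivery: secret, payload and field names are made up.
const SECRET = "example-signing-secret"
const RAW = Buffer.from('{"id": 1, "type": "venue.updated"}')
const GOOD = { "x-ls-signature": sign(RAW, SECRET) }
// Same JSON after parse + stringify: the whitespace is gone, so the bytes differ.
const RESERIALIZED = Buffer.from(JSON.stringify(JSON.parse(RAW.toString())))

function demo() {
  const status = (body, headers) => handleDelivery(body, headers, SECRET).status
  return { raw: status(RAW, GOOD), reserialized: status(RESERIALIZED, GOOD), missing: status(RAW, {}) }
}
```

demo() returns 200 for the raw bytes and 401 for both the re-serialized body and the missing header. A production handler would also cap the body size before buffering.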
